CVE-2023-46552

9.8 CRITICAL

📋 TL;DR

This vulnerability is a stack overflow in the formMultiAP function of TOTOLINK X2000R routers, allowing remote attackers to execute arbitrary code or crash the device. It affects users of TOTOLINK X2000R routers with firmware version 1.0.0-B20230221.0948.web. The high CVSS score indicates critical severity requiring immediate attention.

💻 Affected Systems

Products:
  • TOTOLINK X2000R
Versions: v1.0.0-B20230221.0948.web
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web interface functionality; no special configuration required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attacker gains full control of the router, enabling traffic interception, network pivoting, or permanent device compromise.

🟠 Likely Case

Remote code execution leading to router compromise, denial of service, or credential theft from connected devices.

🟢 If Mitigated

If isolated from untrusted networks, impact is limited to denial of service or local network compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repository contains detailed analysis; stack overflow suggests straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor site for updated firmware

Vendor Advisory: https://totolink.cn/home/menu/detail.html?menu_listtpl=download&id=85&ids=36

Restart Required: Yes

Instructions:

1. Visit the TOTOLINK download page.
2. Download the latest firmware for the X2000R.
3. Log into the router admin interface.
4. Navigate to the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Disable web interface from WAN
  • Applies to: all
  • Purpose: Prevent external access to the vulnerable interface
  • Router-specific: Disable 'Remote Management' in admin settings

Network segmentation
  • Applies to: all
  • Purpose: Isolate the router management interface to a trusted network
  • Firewall rule: Block inbound traffic to router ports 80/443 from untrusted networks

🧯 If You Can't Patch

  • Place router behind firewall with strict inbound rules
  • Disable all unnecessary services on router

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status or Firmware Upgrade page

Check Version:

Router-specific: Log into web interface and check firmware version

Verify Fix Applied:

Confirm firmware version is newer than v1.0.0-B20230221.0948.web

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to formMultiAP endpoint
  • Router crash/reboot logs
  • Multiple failed web interface access attempts

Network Indicators:

  • Unusually large POST bodies sent to the router web port (consistent with stack-overflow payloads)
  • Unusual outbound connections from router

SIEM Query:

source="router_logs" AND (uri="*formMultiAP*" OR message="*crash*" OR message="*reboot*")
